Business audit: what is it really for?

Updated April 2026 - The company audit is frequently invoked as a universal solution to governance, compliance or performance problems. In reality, audit covers very différent missions depending on its type, objective and legal framework. Understanding these distinctions is the prerequisite for extracting real value from any engagement, whether you are a CEO, CFO, investor or legal officer.

To complete, also see How to do an audit, Compliance audit and Financial reporting.

Company audit breaks down into four main families, each with distinct purposes:

Statutory audit (commissariat aux comptes) is governed by Articles L820-1 and following of the French Commercial Code. Its purpose is to certify the annual financial statements and provide assurance to third parties (banks, investors, shareholders) that the accounts give a true and fair view of the company's economic reality. It is performed by a registered statutory auditor (commissaire aux comptes) enrolled with the H2A.

Contractual audit is a voluntary engagement commissioned by management, shareholders, or a third party (acquirer, partner). It may take the form of a financial due diligence before an acquisition, a contribution audit (commissariat aux apports) on formation or a capital increase, or a consolidation audit for a group not subject to statutory audit requirements.

Internal audit is a permanent function organised within the company that evaluates the effectiveness of internal controls, risk management systems and governance. It should not be confused with management control (contrôle de gestion), which is more focused on financial performance management.

Operational audit evaluates business processes, information systems, procurement or human resources. It aims to identify inefficiencies, waste and risk areas in the organisation's day-to-day operations.

In France, the appointment of a commissaire aux comptes is mandatory for commercial companies (SA, SAS, SARL, SNC, etc.) that exceed at least two of the following three thresholds over two consecutive financial years:

• Revenue (excluding VAT) above EUR 8 million
• Balance sheet total above EUR 4 million
• Number of employees above 50

These thresholds were set by the PACTE Law of 2019, which significantly raised the previous ceilings. Companies that do not reach these thresholds are no longer required to appoint a statutory auditor, unless their articles of association provide for it, or shareholders representing one-third of the capital request it (Article L823-1 of the Commercial Code).

Note: corporate groups, even where individual subsidiaries do not reach the thresholds, may be subject to statutory audit at the level of the consolidating parent company.

Even without a legal obligation, many situations justify commissioning a contractual audit:

• Before a sale or acquisition: the acquirer commissions financial and legal due diligence to verify the quality of accounts, identify hidden liabilities, and define warranty of assets and liabilities (garantie d'actif et de passif).
• During a capital increase or fundraising: investors require an independent review of financial statements before committing.
• For a contribution audit (commissariat aux apports): required in certain SARL or SAS configurations when assets are contributed in kind, the auditor verifies the value of the contributed assets.
• To reassure financial partners: a lending bank or industrial partner may condition its commitment on the production of an independent audit report.

Internal audit assesses whether internal control systems function as intended. It answers: "do our processes genuinely protect us from major risks?". Its scope encompasses the reliability of financial information, compliance with laws and regulations, asset security, and operational effectiveness.

Management control, on the other hand, steers financial performance: budget monitoring, variance analysis, forecasting. The two functions are complementary but not interchangeable. In SMEs, both rôles are often held by the CFO or an external firm that balances both responsibilities.

Operational audit targets concrete processes: how are orders processed? How are invoices validated? Are inventories properly valued? Do IT access rights match organisational responsibilities?

The methodology rests on a risk map: identifying critical processes, assessing the probability and impact of each risk, rating the current level of control, and then formulating prioritised recommendations. This exercise produces a clear view of risk areas that neither accounting nor reporting necessarily surfaces.

Every serious audit engagement begins with precise scoping. The engagement letter defines the audited scope (entities, periods, processes), the évaluation criteria (accounting standards, internal benchmarks, regulatory requirements), the expected deliverables and the timetable. This document is signed by both parties before work begins.

Scoping also includes entity familiarisation: sector, business model, internal organisation, identified inherent risks, history of previous anomalies. An auditor who starts without this knowledge will produce a generic report with no real added value.

The evidence-gathering phase rests on four types of work:

• Interviews with key managers (CFO, operations director, legal counsel, existing statutory auditor) to understand processes and identify areas of vulnerability
• Procedure tests: verification that the internal controls described in procedure manuals are actually applied (e.g. dual approval of payments above a defined threshold)
• Substantive sampling: verification by sample of the reality of transactions (e.g. checking 50 supplier invoices over the past 6 months)
• Analytics: comparison of trends, ratios and indicators against sector benchmarks and prior periods to identify statistical anomalies

The quality of evidence collected directly determines the solidity of conclusions. A finding without documented evidence is merely an opinion.

The audit report structures conclusions across three levels:

Findings: factual and documented description of what was observed. Each finding cites the evidence collected.

Associated risks: assessment of the potential impact if the finding is not addressed. Risk classification (critical, major, moderate, minor) enables management to prioritise its actions.

Recommendations: concrete, actionable proposals to address each finding, with a suggested owner, an implementation horizon and monitoring indicators.

Hayot Expertise Advice: an audit report that lists 50 findings without prioritising them does not help management act. The added value of a skilled auditor is to distinguish the 5 to 7 critical points on which to concentrate the teams' energy in the first 90 days.

The audit report reading must be followed by a debrief meeting with management. This meeting should not be limited to presenting findings: it must result in a formalised action plan, with a named owner for each recommendation, an implementation date and a follow-up mechanism.

In practice, three types of decisions emerge from a well-conducted audit:

1. Immediate corrective decisions: regularising a tax non-compliance, correcting a defective procedure, strengthening a missing internal control
2. Optimisation decisions: restructuring a costly process, renegotiating an overpriced supplier contract, automating a repetitive task prone to error
3. Strategic decisions: reconsidering a distribution model, repositioning a product range, making a decision on an unprofitable subsidiary

An audit is not an end in itself. Its real value is measured by the decisions it enables, not the volume of the report it produces.

(Official sources: H2A professional practice standards, H2A triennial report on the statutory audit market, Bpifrance Creation on management dashboards)